PayPal Express Checkout for nopCommerce 3.0 & 3.10

a.m. wrote:

Andrew, please.
Nobody keeps secure information in clean text. It's the same as keep user password not encrypted.
Could you please change couple lines of code, just encrypt at least API Signature and API password (PaymentPayPalExpressCheckoutController -> Configure()).

Not for me, I'll change it anyway.
But just for people who are not developers.

Thank you!

kaunuk wrote:
What do you mean? What exactly should be encrypted? And where?

P.S. I'm not the author of this plugin. The author of this forum topic is. We've just upgraded it to version 3.10 from 3.00

a.m. wrote:

Configure methods  for beginning.

here is decryption

var model = new ConfigurationModel
{
ApiSignature = _payPalExpressCheckoutPaymentSettings.ApiSignature
Password = _payPalExpressCheckoutPaymentSettings.Password,
Username = _payPalExpressCheckoutPaymentSettings.Username,
}

here is encryption

if (IsLogoImageValid(model.LogoImageURL, out validationErrors))
{
_payPalExpressCheckoutPaymentSettings.ApiSignature = model.ApiSignature;
_payPalExpressCheckoutPaymentSettings.Password = model.Password;
_payPalExpressCheckoutPaymentSettings.Username = model.Username;
}

Then need to decrypt in

GetRequesterCredentials()

method.

I checked database afterwards, username, password and API in clean text in database.
Which is totally unsecure. Change it - just 3 minutes. But will be very helpful.

I wanted to use this plugin, but because security issue, I started to write own plugin.

public string GetVersion()
{
    return "98.0";
}

current version is "106.0"

latest version possible to take from wdsl description. tomorrow at work will poste code sample for getting latest version.

Here is a bit let reliable way to get latest version

        
private string GetAPIVersion()
{
    XmlTextReader reader = new XmlTextReader("https://www.paypalobjects.com/wsdl/PayPalSvc.wsdl");
    ServiceDescription wsdl = ServiceDescription.Read(reader);
    return (wsdl.ExtensibleAttributes.Where(a => a.Name == "ns:version").Count() > 0) ? wsdl.ExtensibleAttributes.Where(a => a.Name == "ns:version").Select(a => a.Value).FirstOrDefault() : "106.0";
}

kaunuk wrote:

I wouldn't do this. We coded against a specific version, getting the latest one from wsdl might mean the gateway didn't work if there are breaking changes.

Also, feel free to encrypt and decrypt the user/pass/api key, but you should be using SSL in admin. If your database is stolen then you can change the PayPal settings in paypal.com. This is not user data and other plugins work the same.

thought wrote:

Hm. Didn't think about version. Ok, will follow your advice.
About SSL, definitely admin area will use SSL, but data encrypted looks much more safe and give a peace of mind, as an extra protection. As well i don't know what can be if wrong person will get credentials.

After all, it's just a good practice to encrypt data that have to be secured.

Big issue with currency conversions, the site converts say 50 pounds to 75 dollars, the pugin charges 75 pounds, same for euros.

How to install it? There 2 folder. One in plugin. There other one i dont know where to put. Help please. It look great but i cannot get it function

We're sorry, an internal error occurred.

Our supporting staff has been notified of this error and will address the issue shortly.

We apologize for the inconvenience.

Please try clicking your browsers 'back' button or try reloading the home page.

If you continue to receive this message, please try again in a little while.

Thank you for your patience.